Mutual auth with GRPC & Node: start to finish

Oct 27, 2017

Setting up mutual authentication can be a little daunting, especially when the
docs for a library you’re using don’t always have a good example. Top it off
with having to make your own certificates, and the whole process can be a real
PITA! To make it easier, we’re going to be using a tool from the great people
at Square, certstrap. If you’ve ever
used the easyrsa utility bundled with OpenVPN, it will feel very familiar as
it makes generating your own PKI
much simpler than manually using OpenSSL.

Generating a root certificate authority

The client and server will both trust the same, private root certificate. We’re
generating this manually for this example, but you could alternatively use an
existing PKI, for example one from a MS Windows Server Domain Controller.

Find a release of certstrap for your operating system from their
releases page. Once you’ve
downloaded the binary, rename it to something more convenient and make it
executable (if applicable).

As you can see above, we’ve now generated the main certificate that we’ll be
trusting on both the client and the server (out/Snazzy_Microservices.crt).

Generating a server certificate

The hostname in the server’s certificate will be validated upon connection, so
ensure that the common name and DNS name match the hostname of your service.
Generating a server certificate for your services is as easy as:

Full example

Troubleshooting

If at any stage the above doesn’t work, try turning on verbose logging:

export GRPC_TRACE=all
export GRPC_VERBOSITY=DEBUG
node server

Other considerations

To distribute certificates and keys to hosts, you could either bake them into
a virtual machine image, pull them down from a central store (e.g. S3 with
encrypted objects and restrictive permissions) or store the keys in your source
code repository and decrypt them at runtime.

As you may have noticed above, we’ve not specified any expiration dates and we
have no method of revoking certificates. If this is a concern for you, you
could set a short expiration date on client / server certificates and frequently
rotate them or load balance your GRPC servers behind another server that
includes revocation checks (e.g. nginx).